CVE-2024-8862 – dtale

Package

Manager: pip
Name: dtale
Vulnerable Version: >=0 <3.14.1

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

EPSS: 0.00607 pctl0.68706

Details

D-Tale Command Execution Vulnerability D-Tale is the combination of a Flask back-end and a React front-end to bring you an easy way to view & analyze Pandas data structures. In dtale\views.py, under the route @dtale.route("/chart-data/<data_id>"), the query parameters from the request are directly passed into run_query for execution. And the run_query function calls proceed without performing any processing or sanitization of the query parameter. As a result, the query is directly used in the df.query method for data retrieval. Tthe engine used is `python`, which allows executing the query expression ans leading to a command execution vulnerability.

Metadata

Created: 2024-09-16T14:37:27Z
Modified: 2024-09-20T19:50:07Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/09/GHSA-fg5m-m723-7mv6/GHSA-fg5m-m723-7mv6.json
CWE IDs: ["CWE-74"]
Alternative ID: GHSA-fg5m-m723-7mv6
Finding: F184
Auto approve: 1